From: Sasha Levin Date: Mon, 13 Jun 2022 05:20:50 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.9.318~69 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=945af2f863a87ed47f7ecc7eef05a5aa30294a33;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/series b/queue-4.9/series
index f4a975c9dfd..c8559e98c57 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -155,3 +155,4 @@ revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch
 drm-radeon-fix-a-possible-null-pointer-dereference.patch
 modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch
 nodemask-fix-return-values-to-be-unsigned.patch
+vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
diff --git a/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch b/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
new file mode 100644
index 00000000000..84f105894e2
--- /dev/null
+++ b/queue-4.9/vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
@@ -0,0 +1,63 @@
+From 9e8ed5086092eafdef689cc5a469371020012c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 May 2022 18:09:10 +0800
+Subject: vringh: Fix loop descriptors check in the indirect cases
+
+From: Xie Yongji
+
+[ Upstream commit dbd29e0752286af74243cf891accf472b2f3edd8 ]
+
+We should use size of descriptor chain to test loop condition
+in the indirect case. And another statistical count is also introduced
+for indirect descriptors to avoid conflict with the statistical count
+of direct descriptors.
+
+Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
+Signed-off-by: Xie Yongji
+Signed-off-by: Fam Zheng
+Message-Id: <20220505100910.137-1-xieyongji@bytedance.com>
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: Sasha Levin
+---
+ drivers/vhost/vringh.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
+index da47542496cc..63f0ab3e6f63 100644
+--- a/drivers/vhost/vringh.c
++++ b/drivers/vhost/vringh.c
+@@ -262,7 +262,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+ gfp_t gfp,
+ int (*copy)(void *dst, const void *src, size_t len))
+ {
+- int err, count = 0, up_next, desc_max;
++ int err, count = 0, indirect_count = 0, up_next, desc_max;
+ struct vring_desc desc, *descs;
+ struct vringh_range range = { -1ULL, 0 }, slowrange;
+ bool slow = false;
+@@ -319,7 +319,12 @@ __vringh_iov(struct vringh *vrh, u16 i,
+ continue;
+ }
+
+- if (count++ == vrh->vring.num) {
++ if (up_next == -1)
++ count++;
++ else
++ indirect_count++;
++
++ if (count > vrh->vring.num || indirect_count > desc_max) {
+ vringh_bad("Descriptor loop in %p", descs);
+ err = -ELOOP;
+ goto fail;
+@@ -381,6 +386,7 @@ __vringh_iov(struct vringh *vrh, u16 i,
+ i = return_from_indirect(vrh, &up_next,
+ &descs, &desc_max);
+ slow = false;
++ indirect_count = 0;
+ } else
+ break;
+ }
+--
+2.35.1
+
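Review bot: In the `@@ -319,7 +319,12 @@` hunk of the embedded vringh.c patch, the two counters are selected by `up_next == -1` with no comment saying what that sentinel means, which makes the loop guard hard to audit. Going by the commit message it appears to mark the direct ring, so I would add above the branch `/* up_next == -1: direct descriptors, bounded by vring.num; otherwise inside an indirect table, bounded by desc_max */`. Because `indirect_count` is reset after `return_from_indirect()` in the last hunk, each indirect table gets its own budget, and the work done per chain then depends on `desc_max`, which is assigned outside the visible lines. If that value is derived from a descriptor length supplied by the other side of the ring, it is worth confirming that it is bounded in this 4.9 tree before relying on the new check as the only limit. `__vringh_iov` starts and ends outside the hunks shown.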